490 likes | 592 Views
Smart Phone Security & Privacy: What Should We Teach Our Users?. Norman M. Sadeh Professor, School of Computer Science Director, Mobile Commerce Lab. Carnegie Mellon University www.cs.cmu.edu/~sadeh. Outline. Smart phone security and privacy awareness : unique challenges
E N D
Smart Phone Security & Privacy: What Should We Teach Our Users? Norman M. Sadeh Professor, School of Computer Science Director, Mobile Commerce Lab. Carnegie Mellon University www.cs.cmu.edu/~sadeh
Outline • Smart phone security and privacy awareness: unique challenges • Phishing: much worse with smart phone users • What can we do? • Mobile Apps and Social Networking • What we can we teach users? • Concluding remarks • Q&A EDUCAUSE Webinar – April 2011 - Slide 2
SMART PHONE SECURITY and PRIVACY AWARENESS:UNIQUE CHALLENGES EDUCAUSE Webinar – April 2011 - Slide 3
Cyber Security Training Awareness …Has been compared to trying to nail Jell-O to a wall EDUCAUSE Webinar – April 2011 - Slide 4
Yet… • Filters, firewalls, IDS etc. have their limitations • Users are the last line of defense • Universities: A Dual Objective • Protect the university’s infrastructure and sensitive data • Educational mission EDUCAUSE Webinar – April 2011 - Slide 5
Universities • Diversity of users • Faculty, staff, students • Diversity of cultures and environments • Fragmented administration • Diversity of needs • Research vs. education vs. admin • Diversity of devices • Some managed & some not • ...Yet the price of security breaches can be dire… EDUCAUSE Webinar – April 2011 - Slide 6
Smart Phones: The New Frontier Smart Phone Adoption to Approach 50% in the US in 2011 EDUCAUSE Webinar – April 2011 - Slide 7
…Along the Way… • Our cell phones are now coming with the same vulnerabilities we have on our computers… …and more… EDUCAUSE Webinar – April 2011 - Slide 8
Universities at High Risk University Students… EDUCAUSE Webinar – April 2011 - Slide 9
Mobile Email & Social Networking are Big EDUCAUSE Webinar – April 2011 - Slide 10
Diversity of Devices & OS’s Best practices are harder to articulate EDUCAUSE Webinar – April 2011 - Slide 11
The Biggest Security Risk? Millions of cell phones lost or stolen each year EDUCAUSE Webinar – April 2011 - Slide 12
Lost or Stolen Phone…. • Private data & sensitive apps • e.g. contacts list, pictures, phone calls, messages, email, calendar, apps, etc • Risk of someone using your phone • Impersonating you – SMS, voice, email, social networks, etc. • Placing expensive international calls • Reselling your phone • etc. EDUCAUSE Webinar – April 2011 - Slide 13
What Can We Teach? • Don’t leave your phone unattended • Goes beyond theft and loss: malware is easy to install • Use a PIN to protect your cell phone • Different options (e.g. iPhone) • Write down your IMEI number as well as phone make and model and cell phone number • Quickly report lost/stolen phone EDUCAUSE Webinar – April 2011 - Slide 14
Quickly Tips Become Device-Specific Requires MobileMe Loud noise + contact info + map EDUCAUSE Webinar – April 2011 - Slide 15
Remote Erase • A number of solutions… • …Hopefully you’ve backed up your data • …Some products combine both back up and “remote wipe” • Watch out for malware - read reviews and select reputable solutions… EDUCAUSE Webinar – April 2011 - Slide 16
Dangers of Multi-Tasking • Phone call, SMS, email, etc. • While driving, crossing the street.. • Illegal in some places • Not wise elsewhere EDUCAUSE Webinar – April 2011 - Slide 17
Understanding the risks… • Even more challenging than on a computer • Cell phones are highly personal devices with access to lots of sensitive information • …yet fewer people understand the risks • Lots of different cell phone models • Not all with the same functionality or settings… • Users need to invest time in understanding and tweaking their security settings EDUCAUSE Webinar – April 2011 - Slide 18
Different Activities Lead to Different Risks • Voice • Email • SMS • Bluetooth • Browsing • WiFi • Location • App Downloads • Social networks • …and more …A rather daunting task… EDUCAUSE Webinar – April 2011 - Slide 19
PHISHING: MUCH WORSE ON SMART PHONES EDUCAUSE Webinar – April 2011 - Slide 20
E-Mail Phishing: Worse on Mobile Phones • Trusteer – Jan 2011: • Mobile users are first to arrive at phishing websites • Mobile users 3x more likely to submit credentials than desktop users EDUCAUSE Webinar – April 2011 - Slide 21
Beyond e-mail Phishing • SMS-ishing • Vishing • IM phishing • Phishing via social networks • Phishing apps EDUCAUSE Webinar – April 2011 - Slide 22
What To Do? • Better filters can help • Most spam filters rely on manually maintained blacklists that are several hours behind • Example: Wombat’s PhishPatrol • Teach people to recognize traps in phishing emails EDUCAUSE Webinar – April 2011 - Slide 23
Training via Mock Attacks: PhishGuru • Teach people in the context they would be attacked • If a person falls for simulated phish, then show intervention as to what just happened • Unique “teachable moment” EDUCAUSE Webinar – April 2011 - Slide 24
Select Target Employees Customize Fake Phishing Email EDUCAUSE Webinar – April 2011 - Slide 25 EDUCAUSE Webinar – April 2011 - Slide 25
Select Target Employees Customize Fake Phishing Email Select Training EDUCAUSE Webinar – April 2011 - Slide 26 EDUCAUSE Webinar – April 2011 - Slide 26
Select Target Employees Customize Fake Phishing Email Select Training Hit Send Internal Test and Approval Process EDUCAUSE Webinar – April 2011 - Slide 27 EDUCAUSE Webinar – April 2011 - Slide 27
Select Target Employees Customize Fake Phishing Email Select Training Hit Send Monitor & Analyze Employee Response Internal Test and Approval Process EDUCAUSE Webinar – April 2011 - Slide 28 EDUCAUSE Webinar – April 2011 - Slide 28
It works! Reduces the chance of falling for an attack by more than 50% ! percentage (Actual Results) EDUCAUSE Webinar – April 2011 - Slide 29
Reinforce with Training Modules – Incl. Games • Traditional training doesn’t work - but people like games • Games teach users about phishing • People more willing to play games than read training • Shows higher long-term retention EDUCAUSE Webinar – April 2011 - Slide 30
Teaches people to identify “red flags” in fraudulent emails EDUCAUSE Webinar – April 2011 - Slide 31
Phishing is a Generic Threat • It is possible to identify device-independent tips and strategies • It is possible to teach these tips and strategies in a matter of minutes • Universities like CMU are using PhishGuru and training games (Phil and Phyllis training games) to train staff, faculty and students • A dedicated anti-phishing email filter can also make a difference (e.g. PhishPatrol) EDUCAUSE Webinar – April 2011 - Slide 32
MOBILE APPS & SOCIAL NETWORKING: WHAT CAN WE TEACH USERS? EDUCAUSE Webinar – April 2011 - Slide 33
Social Networking – Facebook, Twitter & Co. • Sharing is wonderful… • …until you regret you did it • Think and ask yourself whether: • You really know who you are sharing with • A week or a year from now, you’ll still be happy you did • Colleagues, friends, new acquaintances… • Beware of pictures and links that seem to come from friends…. EDUCAUSE Webinar – April 2011 - Slide 34
All Those Great Apps EDUCAUSE Webinar – April 2011 - Slide 35
Malicious Apps • In January of 2010, the first malicious mobile banking app was detected • Stole your banking credentials • Android doesn’t review applications • Apple does, but that’s no guarantee • Many apps collect a lot more information than they need to – e.g. location EDUCAUSE Webinar – April 2011 - Slide 36
Some Recommendations • Research apps before you download them • Best to wait until enough other people have tried them • Check ratings – but do not rely entirely on them • If you are courageous, take time to review privacy provisions • Possibly create a Google alert for apps you download EDUCAUSE Webinar – April 2011 - Slide 37
Location Sharing Apps. EDUCAUSE Webinar – April 2011 - Slide 38
Also referred to by some as… EDUCAUSE Webinar – April 2011 - Slide 39
If you are going to share your location, at least do it under conditions you control EDUCAUSE Webinar – April 2011 - Slide 40
Promoting Our Own Location Sharing Platform • More expressive privacy settings • “My colleagues can only see my location when I’m on campus and only weekdays 9am-5pm” • Invisible button • Auditing functionality • Available on Android Market, iPhone client, Ovi, laptop clients • Tens of thousands of downloads over the past year www.locaccino.org EDUCAUSE Webinar – April 2011 - Slide 41
CONCLUDING REMARKS EDUCAUSE Webinar – April 2011 - Slide 46
Concluding Remarks • Cell phones are wonderful devices … • Most of us can’t even remember how we could operate without them • …Yet they come with many risks • …General guidelines are difficult to articulate • Diversity of cell phones and usage scenarios • Yet in some areas such as phishing, results indicate that training can make a difference • We are extending this approach to mobile security at large EDUCAUSE Webinar – April 2011 - Slide 47
Q&A http://mcom.cs.cmu.edu http://wombatsecurity.com EDUCAUSE Webinar – April 2011 - Slide 48
References • Scientific References • How to Foil “Phishing Scams”, Scientific American, L. Cranor • Teaching Johnny Not to Fall for PhishP. Kumaraguru, S. Sheng, A. Acquisti, L. Cranor, and J. Hong. ACM Transactions on Internet Technology, Vol. V, No. N, September 2009, Pages 1–31. • Learning to Detect Phishing EmailsI. Fette, N. Sadeh, and A. Tomasic. In Proceedings of the 16th International Conference on World Wide Web, Banff, Alberta, Canada, May 8-12, 2007. • Locaccino scientific publications: www.locaccino.org/science • Case Studies & White Papers • “A Multi-Pronged Approach to Combat Phishing (Carnegie Mellon University case study)” • “Empirical Evaluation of PhishGuru Embedded Training”, • “Cyber Security Training Game Teaches People to Avoid Phishing Attacks” EDUCAUSE Webinar – April 2011 - Slide 49